CVE-2026-7604
Deferred Deferred - Pending Action
Server-Side Request Forgery in JeecgBoot

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: VulDB

Description
A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7604
EUVD
EUVD-2026-26739
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jeecgboot jeecgboot to 3.9.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a second-order Server-Side Request Forgery (SSRF) in the OpenApi service of JeecgBoot versions up to 3.9.1. It occurs because the application does not properly validate or authorize URLs submitted to the /openapi/add endpoint, allowing authenticated users to inject malicious URLs into the originUrl database field.

Later, when the /openapi/call/{path} endpoint is accessed, the application retrieves the unvalidated URL and makes an outbound HTTP request to it. This enables attackers to make the server send requests to arbitrary internal or external resources, potentially bypassing network segmentation and accessing sensitive internal services.

The vulnerability arises from missing permission checks and inadequate URL validation in the OpenApiController.add() and OpenApiController.call() methods.

  • Step 1: An attacker sends a POST request to /openapi/add with a malicious URL in the originUrl field.
  • Step 2: The attacker triggers the SSRF by accessing /openapi/call/{path}, causing the server to fetch the injected malicious URL.
Impact Analysis

This vulnerability can have several impacts including allowing attackers to bypass network segmentation and scan internal services that are not normally accessible from outside.

Attackers can exfiltrate sensitive data such as cloud metadata or local credentials by forcing the server to make requests to internal or protected resources.

Because the exploit can be launched remotely by authenticated users, it increases the risk of unauthorized access and data leakage within your environment.

Detection Guidance

This vulnerability can be detected by monitoring and testing the behavior of the /openapi/add and /openapi/call/{path} endpoints in JeecgBoot up to version 3.9.1. Specifically, detection involves checking if it is possible to inject and trigger malicious URLs via these endpoints.

  • Send a POST request to /openapi/add with a crafted payload containing a malicious URL in the originUrl field to see if the server accepts and stores it.
  • Trigger the SSRF by sending a request to /openapi/call/{path} where {path} corresponds to the injected entry, and observe if the server makes an outbound HTTP request to the malicious URL.
  • Use network monitoring tools to detect outbound HTTP requests from the server to unexpected internal or external addresses after triggering the /openapi/call/{path} endpoint.
  • Example command using curl to test injection: curl -X POST -H "Content-Type: application/json" -d '{"originUrl":"http://malicious.example.com"}' http://target-server/openapi/add
  • Example command to trigger SSRF: curl http://target-server/openapi/call/{path}
Mitigation Strategies

The immediate mitigation step is to upgrade the affected JeecgBoot component to a version where the vulnerability is fixed once the vendor releases the patch.

Until an official fix is available, restrict access to the /openapi/add and /openapi/call/{path} endpoints to trusted and authenticated users only, and implement strict input validation and authorization checks to prevent injection of malicious URLs.

Additionally, monitor and block unexpected outbound HTTP requests from the server to prevent exploitation of SSRF.

Compliance Impact

The vulnerability in JeecgBoot allows attackers to perform server-side request forgery (SSRF), which can lead to unauthorized access to internal services and exfiltration of sensitive data such as cloud metadata or local credentials.

Such unauthorized data access and potential data leakage could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to prevent unauthorized disclosure.

Because the exploit enables attackers to bypass network segmentation and access internal resources, it increases the risk of data breaches, which are subject to regulatory reporting and penalties under these standards.

Therefore, until the vulnerability is fixed, affected systems may be at higher risk of non-compliance with common security and privacy regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7604. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart